Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with XP AntiMalware (ave.exe)


  • This topic is locked This topic is locked
23 replies to this topic

#1 autoprime

autoprime

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:12:26 PM

Posted 25 March 2010 - 11:02 AM

Hello Bleep,

I went on Isohunt to download a film, the second I click on the link, the 'XP AntiMalware' start to pop-up (I believe this is the cause).

It put an icon on the right system tray which I can't close down. Also keep poping up alerts and fake scans of report indicating infected files in the computer. The pop-up looks exactly just like the XP Security control. I ran the Ad-Aware the first time, which detect a malware of 'copying your key stroke'. Ad-Aware said it removed it and then I restart the computer, but unfortunately the same thing happens again.

I would appreciate advice on how to remove this malware. I noted several similar topics on the forum, but not sure how best to proceed.

Thanks!

Edited by autoprime, 25 March 2010 - 11:03 AM.


BC AdBot (Login to Remove)

 


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,107 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:02:26 PM

Posted 25 March 2010 - 01:54 PM

As no logs have been posted, I am shifting this topic from the specialized Malware Removal forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.

Please describe the issues you are experiencing with your computer.


Edited by elise025, 25 March 2010 - 01:55 PM.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 autoprime

autoprime
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:12:26 PM

Posted 26 March 2010 - 12:02 PM

Sorry I couldn't add the log in time because the GMER scan took quite a long time, and the computer froze after long period. Now, I got the DDS.txt and Attach.txt files. I will get the GMER scan file again and post everything here, unless you guys specifically say no.

Thanks,
Autoprime

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,107 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:02:26 PM

Posted 26 March 2010 - 02:11 PM

No need to make a new topic smile.gif

You can just post them here, and as soon as you have done that, I'll move us back.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 autoprime

autoprime
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:12:26 PM

Posted 27 March 2010 - 04:12 AM

Here is the DDS log and Attach.txt. I'm still getting the GMER scan log! It keeps froze after scan complete. mad.gif Will get it today!

This is a continuing thread from above Re: Help with getting rid of malwalre - XP AntiMalware (ave.exe)

DDS (Ver_10-03-17.01) - NTFSx86
Run by Alex Toh at 16:55:45.76 on 25/03/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1023.442 [GMT 0:00]

AV: Norton AntiVirus *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\WinPcap\rpcapd.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Documents and Settings\Alex Toh\Local Settings\Application Data\ave.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Alex Toh\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bbc.co.uk/
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: ZoneAlarm Spy Blocker BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [Power2GoExpress]
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [<NO NAME>]
mRun: [PCMService] "c:\program files\cyberlink\powercinema\PCMService.exe"
mRun: [{1290A33C-85F5-4164-A1BE-7DD299D4986A}] "c:\program files\cyberlink\powerbackup\PBKScheduler.exe"
mRun: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton antivirus\osCheck.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware 2007\Ad-Watch2007.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\ssmmgr.exe /autorun
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Wireless Manager] "c:\program files\virgin broadband wireless\Wireless Manager.exe" startup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by105w.bay105.mail.live.com/mail/resources/MsnPUpld.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - hxxp://launch.gamespyarcade.com/software/launch/alaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} - hxxp://www.telewest.co.uk/motive/files/MotivePreQual.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
TCP: NameServer = 85.255.112.39,85.255.112.40
TCP: {4BA78C61-2942-4A99-B42F-A872F174245F} = 85.255.112.39,85.255.112.40
TCP: {D9386252-E383-47B2-8255-40F35A98569E} = 85.255.112.39,85.255.112.40
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alexto~1\applic~1\mozilla\firefox\profiles\y7xk6f9w.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-10-26 64288]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-3-15 58984]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-3-15 116328]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2006-10-10 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 32256]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-9-29 353680]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2006-9-3 108648]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2006-9-3 108648]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-3-7 32512]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-1-17 109616]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20080116.038\NAVENG.SYS [2008-1-17 82256]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20080116.038\NAVEX15.SYS [2008-1-17 895312]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" --> c:\program files\lavasoft\ad-aware\AAWService.exe [?]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
S3 Ad-Watch Real-Time Scanner;AW Real-Time Scanner;\??\c:\windows\system32\drivers\awrtpd.sys --> c:\windows\system32\drivers\AWRTPD.sys [?]
S3 Ad-Watch Registry Filter;Ad-Watch Registry Kernel Filter;\??\c:\windows\system32\drivers\awrtrd.sys --> c:\windows\system32\drivers\AWRTRD.sys [?]
S3 cpuz;cpuz;\??\e:\cpuz.sys --> e:\cpuz.sys [?]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-4-23 224896]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
S4 m5287;m5287;c:\windows\system32\drivers\m5287.sys [2005-9-9 85888]
S4 m5289;m5289;c:\windows\system32\drivers\m5289.sys [2005-9-9 51840]
S4 SI3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2005-9-9 89749]
S4 SI3114;SiI-3114 SATALink Controller;c:\windows\system32\drivers\SI3114.sys [2005-9-9 54872]

============== File Associations ===============

.exe=secfile

=============== Created Last 30 ================

2010-03-25 16:32:51 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-03-07 22:35:46 81920 ----a-w- c:\windows\system32\packet.dll
2010-03-07 22:35:46 61440 ----a-w- c:\windows\system32\wanpacket.dll
2010-03-07 22:35:46 53299 ----a-w- c:\windows\system32\pthreadVC.dll
2010-03-07 22:35:46 32512 ----a-w- c:\windows\system32\drivers\npf.sys
2010-03-07 22:35:46 233472 ----a-w- c:\windows\system32\wpcap.dll
2010-03-07 22:35:46 0 d-----w- c:\program files\WinPcap
2010-03-07 22:35:45 27072 ----a-w- c:\windows\system32\drivers\AFGSp50.sys
2010-03-07 22:35:37 0 d-----w- c:\program files\Virgin Broadband Wireless
2010-03-07 22:35:37 0 d-----w- c:\docume~1\alluse~1\applic~1\Affinegy
2010-03-04 01:13:48 5632 --sha-w- c:\documents and settings\alex toh\Thumbs.db

==================== Find3M ====================

2010-03-25 16:32:38 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-03 15:06:56 44808 ---ha-w- c:\windows\system32\mlfcache.dat
2007-04-23 14:21:16 269824 -c--a-w- c:\windows\inf\wg111v3\vista64\wg111v3.sys
2007-04-23 14:11:54 224896 -c--a-w- c:\windows\inf\wg111v3\wg111v3.sys
2006-12-15 11:30:36 98304 -c--a-w- c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 11:30:36 66048 -c--a-w- c:\windows\inf\wg111v3\EAPPkt.sys
2006-12-15 11:30:36 315392 -c--a-w- c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 11:30:36 28672 -c--a-w- c:\windows\inf\wg111v3\SetDrv.exe
2006-12-15 11:30:36 212992 -c--a-w- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 11:30:36 20480 -c--a-w- c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 11:30:36 19968 -c--a-w- c:\windows\inf\wg111v3\RTWREFU.EXE

============= FINISH: 16:56:54.60 ===============


#6 autoprime

autoprime
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:12:26 PM

Posted 27 March 2010 - 04:22 AM

Sorry, there is no attachement button in this forum reply section?? I can't attach the Attach.txt file!

Edited by autoprime, 27 March 2010 - 04:22 AM.


#7 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,107 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:02:26 PM

Posted 27 March 2010 - 04:52 AM

I'm moving this now, but please just copy/paste attach.txt, that makes it a lot easier for me (no need to download the file).

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#8 autoprime

autoprime
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:12:26 PM

Posted 27 March 2010 - 06:32 AM

Here is the Attach.txt


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 07/01/2006 13:32:47
System Uptime: 25/03/2010 16:28:30 (0 hours ago)

Motherboard: ASUSTeK Computer INC. | | A8N-VM
Processor: AMD Athlon™64 X2 Dual Core Processor 3800+ | CPU 1 | 2009/200mhz
Processor: AMD Athlon™64 X2 Dual Core Processor 3800+ | CPU 1 | 2009/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 186 GiB total, 34.794 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

AAC Decoder
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Reader 7.1.0
Adobe Shockwave Player
AppCore
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AutoUpdate
AV
BeClean
Before You Know It 3.6
BitLord 1.1
Bonjour
ccCommon
Compatibility Pack for the 2007 Office system
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
Google Earth
H.264 Decoder
High Definition Audio Driver Package - KB888111
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB952287)
Internet Worm Protection
iPod for Windows 2006-03-23
iPod for Windows 2006-06-28
iTunes
Java Auto Updater
Java™ 6 Update 18
LimeWire 4.10.9
LiveUpdate 3.1 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Map Button (Windows Live Toolbar)
MediaShow 3.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Office XP Professional with FrontPage
Microsoft Speech API 4.0
Microsoft Text-to-Speech Engine
Microsoft Works
MKV Splitter
Mozilla Firefox (3.6.2pre)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
NETGEAR WG111v3 wireless USB 2.0 adapter
NJStar Chinese WP
Norton AntiVirus
Norton AntiVirus (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton Protection Center
NVIDIA Drivers
OneCare Advisor (Windows Live Toolbar)
PhotoNow! 1.0
Popup Blocker (Windows Live Toolbar)
Power2Go 4.0
PowerBackup 1.0
PowerCinema 4.0
PowerDirector Express
PowerDVD
PowerDVD Copy 1.0
PowerISO
PowerStarter
QuickTime
Rapport
RealPlayer
Samsung CLP-300 Series
Scion Image 4.0.3.2
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Skype 3.1
Smart Menus (Windows Live Toolbar)
SoulSeek Client 156b
SPBBC 32bit
SUPERAntiSpyware Free Edition
Symantec
Symantec Real Time Storage Protection Component
SymNet
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB955839)
VC 9.0 Runtime
VC80CRTRedist - 8.0.50727.4053
Veoh Web Player
VeohTV BETA
VideoLAN VLC media player 0.8.4a
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Live Outlook Toolbar (Windows Live Toolbar)
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Toolbar Feed Detector (Windows Live Toolbar)
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
WinRAR archiver
Wireless Manager
ZoneAlarm
ZoneAlarm Spy Blocker

==== Event Viewer Messages From Past Week ========

25/03/2010 16:56:17, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the rpcapd service.
25/03/2010 16:29:49, error: Service Control Manager [7000] - The Lavasoft Ad-Aware Service service failed to start due to the following error: The system cannot find the path specified.
25/03/2010 16:18:27, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
25/03/2010 14:15:45, error: Service Control Manager [7034] - The Windows User Mode Driver Framework service terminated unexpectedly. It has done this 1 time(s).
25/03/2010 14:15:14, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 5 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
25/03/2010 14:13:47, error: Service Control Manager [7031] - The Google Updater Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 900000 milliseconds: Restart the service.
25/03/2010 14:13:44, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 4 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
25/03/2010 14:12:58, error: Service Control Manager [7034] - The Automatic LiveUpdate Scheduler service terminated unexpectedly. It has done this 1 time(s).
25/03/2010 14:12:54, error: Service Control Manager [7034] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 3 time(s).
25/03/2010 14:12:40, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
25/03/2010 14:01:25, error: Service Control Manager [7034] - The Remote Packet Capture Protocol v.0 (experimental) service terminated unexpectedly. It has done this 1 time(s).
25/03/2010 14:01:18, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
25/03/2010 14:00:49, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
25/03/2010 14:00:47, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
25/03/2010 14:00:13, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
25/03/2010 13:59:41, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
25/03/2010 13:59:37, error: Service Control Manager [7034] - The AffinegyService service terminated unexpectedly. It has done this 1 time(s).
25/03/2010 13:59:23, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.
25/03/2010 13:59:01, error: Service Control Manager [7034] - The PnkBstrA service terminated unexpectedly. It has done this 1 time(s).
25/03/2010 13:58:31, error: Service Control Manager [7031] - The Google Updater Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 900000 milliseconds: Restart the service.
25/03/2010 13:58:18, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
25/03/2010 13:55:02, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Virgin Broadband Wireless\Microsoft.VC80.MFC\MFC80.DLL. Reference error message: The operation completed successfully. .
25/03/2010 13:55:02, error: SideBySide [58] - Syntax error in manifest or policy file "C:\Program Files\Virgin Broadband Wireless\Microsoft.VC80.MFC\Microsoft.VC80.MFCLOC.MANIFEST" on line 5.
25/03/2010 13:55:01, error: SideBySide [34] - Component identity found in manifest does not match the identity of the component requested
25/03/2010 13:10:09, error: ipnathlp [32003] - The Network Address Translator (NAT) was unable to request an operation of the kernel-mode translation module. This may indicate misconfiguration, insufficient resources, or an internal error. The data is the error code.
25/03/2010 13:09:37, error: System Error [1003] - Error code 1000000a, parameter1 00000018, parameter2 00000002, parameter3 00000000, parameter4 804f44be.
24/03/2010 17:48:39, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0015F262C528. The following error occurred: The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

==== End Of File ===========================


#9 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,107 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:02:26 PM

Posted 27 March 2010 - 06:46 AM

Hello again,

P2P WARNING
-------------------
Going over your logs I noticed that you have BitLord installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall BitLord, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#10 autoprime

autoprime
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:12:26 PM

Posted 27 March 2010 - 05:38 PM

Here is the Combofix log. Thanks for your effort.

ComboFix 10-03-26.02 - Alex Toh 27/03/2010 22:06:12.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1023.579 [GMT 0:00]
Running from: c:\documents and settings\Alex Toh\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\documents and settings\Alex Toh\Local Settings\Application Data\ave.exe
c:\program files\Common Files\Real\WeatherBug\MiniBugTransporter.dll
c:\program files\Need2Find
c:\program files\Need2Find\bar\History\search
c:\program files\Need2Find\bar\Settings\settings.dat
c:\program files\Need2Find\bar\Settings\settings.dat.bak
c:\program files\Need2Find\bar\Settings\settings.htm
c:\program files\Need2Find\bar\Settings\settings.htm.bak
c:\program files\WinPCap
c:\program files\WinPCap\daemon_mgm.exe
c:\program files\WinPCap\npf_mgm.exe
c:\program files\WinPCap\rpcapd.exe
c:\recycler\S-1-5-21-1275210071-602162358-839522115-1003
c:\recycler\S-1-5-21-3099752261-4092654856-2205631516-1003
c:\windows\smdat32m.sys
c:\windows\system32\drivers\gaopdxvwrxwnqq.sys
c:\windows\system32\drivers\npf.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxkkmkgxao.dll
c:\windows\system32\images
c:\windows\system32\images\3models.gif
c:\windows\system32\images\but3_off.gif
c:\windows\system32\images\but3_on.gif
c:\windows\system32\images\main_bot.gif
c:\windows\system32\images\main_mid.gif
c:\windows\system32\images\main_top.gif
c:\windows\system32\images\model1.gif
c:\windows\system32\images\panel_bot.gif
c:\windows\system32\images\panel_top.gif
c:\windows\system32\images\pc.gif
c:\windows\system32\images\pcw_award_cover.gif
c:\windows\system32\images\pcwcover.gif
c:\windows\system32\images\Thumbs.db
c:\windows\system32\images\topoff.gif
c:\windows\system32\images\topon.gif
c:\windows\system32\images\webscreen.gif
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\Thumbs.db
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys
-------\Legacy_gaopdxserv.sys
-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2010-02-27 to 2010-03-27 )))))))))))))))))))))))))))))))
.

2010-03-25 16:33 . 2010-03-25 16:33 -------- d-----w- c:\program files\Common Files\Java
2010-03-25 13:46 . 2010-03-27 19:28 204800 --sha-w- c:\documents and settings\Alex Toh\Local Settings\Application Data\3292048846.dll
2010-03-07 22:35 . 2008-05-26 16:09 27072 ----a-w- c:\windows\system32\drivers\AFGSp50.sys
2010-03-07 22:35 . 2010-03-07 22:36 -------- d-----w- c:\program files\Virgin Broadband Wireless
2010-03-07 22:35 . 2010-03-07 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Affinegy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-27 19:16 . 2006-07-13 15:10 -------- d-----w- c:\program files\BeClean
2010-03-25 16:33 . 2010-03-25 16:33 348160 ----a-w- c:\documents and settings\Alex Toh\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7aa76bf4-n\msvcr71.dll
2010-03-25 16:33 . 2010-03-25 16:33 503808 ----a-w- c:\documents and settings\Alex Toh\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7aa76bf4-n\msvcp71.dll
2010-03-25 16:33 . 2010-03-25 16:33 499712 ----a-w- c:\documents and settings\Alex Toh\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7aa76bf4-n\jmc.dll
2010-03-25 16:33 . 2010-03-25 16:33 61440 ----a-w- c:\documents and settings\Alex Toh\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-10a5ddb1-n\decora-sse.dll
2010-03-25 16:33 . 2010-03-25 16:33 12800 ----a-w- c:\documents and settings\Alex Toh\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-10a5ddb1-n\decora-d3d.dll
2010-03-25 16:32 . 2009-02-22 22:38 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-25 16:24 . 2009-10-26 11:28 -------- dc-h--w- c:\documents and settings\All Users\Application Data\~0
2010-03-25 16:24 . 2006-01-14 12:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-25 16:22 . 2005-09-09 16:30 -------- d-----w- c:\program files\Java
2010-03-25 16:10 . 2006-01-14 12:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-25 16:09 . 2006-01-14 23:11 -------- d-----w- c:\program files\Google
2010-03-25 15:30 . 2006-01-14 12:47 -------- d-----w- c:\program files\Lavasoft
2010-03-25 15:30 . 2009-10-26 11:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-03-25 14:19 . 2007-10-01 15:38 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-17 16:22 . 2006-01-11 15:59 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-16 18:03 . 2006-01-11 15:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-03-04 01:13 . 2007-08-24 23:27 -------- d-----w- c:\documents and settings\Alex Toh\Application Data\LimeWire
2010-03-04 01:11 . 2006-12-06 11:02 -------- d-----w- c:\program files\Windows Live Toolbar
2010-03-04 01:11 . 2005-09-09 16:49 -------- d-----w- c:\program files\Windows Media Connect
2010-03-04 01:11 . 2006-05-25 10:37 -------- d-----w- c:\program files\LimeWire
2010-03-04 01:11 . 2006-01-03 17:26 -------- d-----w- c:\program files\Mesh Online
2010-03-04 01:11 . 2008-02-17 00:36 -------- d-----w- c:\program files\DivX
2010-02-21 23:32 . 2010-02-22 11:58 2437120 ----a-w- c:\windows\Internet Logs\xDBD.tmp
2010-02-17 23:38 . 2010-02-18 20:03 3060224 ----a-w- c:\windows\Internet Logs\xDBC.tmp
2010-02-14 11:09 . 2010-02-14 11:01 -------- d-----w- c:\program files\Microsoft Office 2007 Portable
2010-02-14 10:27 . 2010-02-14 10:27 53248 ----a-w- c:\documents and settings\Alex Toh\Application Data\Thinstall\Microsoft Office Enterprise 2007\4000003300002h\navw32.exe
2010-02-14 10:23 . 2009-01-29 17:22 -------- d-----w- c:\documents and settings\Alex Toh\Application Data\Thinstall
2010-02-03 21:09 . 2010-02-03 21:09 -------- d-----w- c:\documents and settings\Alex Toh\Application Data\dvdcss
2010-02-02 18:18 . 2009-10-01 19:47 -------- d-----w- c:\program files\Bonjour
2010-02-02 00:51 . 2010-02-02 17:59 3736064 ----a-w- c:\windows\Internet Logs\xDBB.tmp
2010-01-14 20:10 . 2010-01-14 20:11 4593664 ----a-w- c:\windows\Internet Logs\xDBA.tmp
2010-01-03 15:06 . 2010-01-03 15:06 44808 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-30 01:45 . 2009-12-30 18:21 2688512 ----a-w- c:\windows\Internet Logs\xDB9.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="c:\program files\CyberLink\PowerCinema\PCMService.exe" [2005-01-14 110744]
"{1290A33C-85F5-4164-A1BE-7DD299D4986A}"="c:\program files\CyberLink\PowerBackup\PBKScheduler.exe" [2004-06-08 69721]
"Ptipbmf"="ptipbmf.dll" [2003-06-20 118784]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 61952]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]
"osCheck"="c:\program files\Norton AntiVirus\osCheck.exe" [2006-09-06 26248]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 583048]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\ssmmgr.exe" [2006-06-07 507904]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-01-17 180269]
"Wireless Manager"="c:\program files\Virgin Broadband Wireless\Wireless Manager.exe" [2008-05-26 585728]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [26/10/2009 11:30 64288]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [15/03/2010 13:47 58984]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [15/03/2010 13:47 116328]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/10/2006 12:53 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [27/02/2007 11:39 32256]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [15/03/2010 13:47 779496]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [17/01/2008 07:28 109616]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S3 cpuz;cpuz;\??\e:\cpuz.sys --> e:\cpuz.sys [?]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [23/04/2007 14:11 224896]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/02/2006 16:51 4096]
S4 m5287;m5287;c:\windows\system32\drivers\m5287.sys [09/09/2005 16:12 85888]
S4 m5289;m5289;c:\windows\system32\drivers\m5289.sys [09/09/2005 16:12 51840]
S4 SI3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [09/09/2005 16:12 89749]
S4 SI3114;SiI-3114 SATALink Controller;c:\windows\system32\drivers\SI3114.sys [09/09/2005 16:12 54872]
.
Contents of the 'Scheduled Tasks' folder

2010-03-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]

2010-03-27 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2010-03-26 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Alex Toh.job
- c:\progra~1\NORTON~1\Navw32.exe [2006-09-07 05:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbc.co.uk/
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Alex Toh\Application Data\Mozilla\Firefox\Profiles\y7xk6f9w.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Power2GoExpress - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-27 22:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-893574795-2921228333-1348766986-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1456)
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\program files\Virgin Broadband Wireless\AffinegyService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
c:\program files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Virgin Broadband Wireless\ndis_events.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-03-27 22:23:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-27 22:23
ComboFix2.txt 2007-09-30 22:09

Pre-Run: 37,630,050,304 bytes free
Post-Run: 44,207,435,776 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 2C904C9B13AD306170CD7F17DAA70C52


#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,107 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:02:26 PM

Posted 28 March 2010 - 04:04 AM

Hello again,

That cleaned up quite a bit, however since you had a rootkit with backdoor capacity, please consider the following first...

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#12 autoprime

autoprime
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:12:26 PM

Posted 28 March 2010 - 04:54 AM

Hi,
I have decided to ultimately reformat and reinstall the PC to be 100% sure that the PC is safe for future use.

A few questions beforehand:

1. Before reformat the PC, how do I correctly backup all the data in my PC? If I copy all my data (documents) into an external hard drive, would I introduce the trojan into my external hard drive?

2. Does this infection means that the applications (i.e Microsoft Office, DVD player software, Photoshop etc.) in my PC is now not safe? Can I backup these applications into external hard drive safely?

Thanks you for your time in answering these questions. thumbup2.gif

At the moment, I need this PC for important job application for next 4 weeks. So I will not be reformat the PC until then. In the mean time, I would like to follow the Cleanup procedure to rid of this trojan as best we could.

Cheers.

#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,107 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:02:26 PM

Posted 28 March 2010 - 05:07 AM

Hi, for information about backups see here

However, please do NOT use it until I give you the all clean. That way you know for sure you don't back up any infected files.

I'll wait for the scan results smile.gif

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#14 autoprime

autoprime
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:12:26 PM

Posted 28 March 2010 - 07:10 AM

Hi, here is the Malwarebyte's scan result log:

Malwarebytes' Anti-Malware 1.44
Database version: 3922
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

28/03/2010 12:59:19
mbam-log-2010-03-28 (12-59-19).txt

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 210461
Time elapsed: 54 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\{NSINAME} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Alex Toh\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\gaopdxkkmkgxao.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\gaopdxvwrxwnqq.sys.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0934AD39-726C-46D2-90EF-EF51525C3C2D}\RP0\A0000001.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0934AD39-726C-46D2-90EF-EF51525C3C2D}\RP0\A0000002.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.


#15 autoprime

autoprime
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:12:26 PM

Posted 28 March 2010 - 07:19 AM

When I check, I still have the 'Qoobox folder' with ave.exe.vir and other related files in the C:\ drive. Is this Qoobox folder normal?? blink.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users